In Dillon v Irish Life Assurance plc [2024] IEHC 203, the High Court has held that proceedings brought by a plaintiff seeking damages for inter alia distress, upset and anxiety arising from an alleged data breach required prior authorisation from the Personal Injuries Resolution Board (’PIRB’) (now known as the Injuries Resolution Board).
Background
The plaintiff, who was the owner of a life assurance policy with the defendant, issued proceedings after the defendant had allegedly sent letters containing the plaintiff’s personal data to an unauthorised third party.
The plaintiff claimed that on account of the defendant’s negligence and breach of duty, including statutory duty, he had suffered “distress, upset, anxiety, inconvenience, loss and damage”. The Circuit Court dismissed the proceedings on the basis prior authorisation had not been obtained from PIAB, as required by the Personal Injuries Assessment Board Act 2003 (‘2003 Act’). The plaintiff appealed this decision to the High Court, arguing that it was not a personal injuries claim but instead a claim for non-material damages pursuant to the GDPR (as implemented in Ireland by the Data Protection Act 2018 (‘2018 Act’)).
A ‘Civil Action’ within the Meaning of the 2003 Act?
The High Court identified the key issue it had to consider as being whether the plaintiff’s case fell within the definition of a “civil action” for the purposes of the 2003 Act. If it did, prior authorisation from PIAB would be required.
Section 4(1) of the 2003 Act provides that a “civil action” is an action in respect of a wrong, that is pursued for the purpose of recovering damages and the damages are for personal injuries.
What constitutes a “wrong” is itself defined in the Civil Liability Act 1961 and the court noted earlier authorities, such as the Supreme Court decision in Clarke v O’Gorman [2014] IESC 72, which described it as having the “broadest application”.
The High Court then had to consider if the damages sought by the plaintiff for “distress, upset, anxiety, inconvenience, loss and damage” fell within the definition of personal injury in the 2003 Act, namely any disease or impairment of a person’s physical or mental condition.
The court held that “inconvenience, loss and damage” could not be treated as a description of a personal injury but on the other hand, “anxiety and distress” could, in some cases, amount to an impairment of a person’s mental condition. The Personal Injuries Guidelines limit recovery of damages for non-physical injuries to cases of recognisable psychiatric illness or injury, while upset, distress, grief, disappointment and humiliation do not attract compensation. However, the court held that the fact the claimed impairment did not warrant an award of damages did not take the claim outside of the definition of what constitutes a personal injury in the legislation.
The High Court, therefore, held that the plaintiff’s claim did amount to a “civil action” for the purposes of the 2003 Act.
Remedy under the GDPR
The plaintiff had argued that his claim was one for non-material damage as allowed for under the GDPR (as implemented in Ireland by section 117 of the 2018 Act (‘s.117’)) and not a personal injuries claim. However, the court noted that while there was a claim for breach of statutory duty, which could be treated as a claim pursuant to s. 117, there were also general pleas of negligence and breach of duty.
In any event, the High Court held that it does not automatically follow that if a claim is found to be for damages under s. 117, PIAB authorisation will not be required. S. 117 allows for compensation for damage suffered on account of an infringement of the data protection legislation and if the injured party seeks a remedy under the section which amounts to damages for personal injuries in respect of a wrong, authorisation under the 2003 Act will still be required.
Keane v Central Statistics Office
The High Court noted that this case differed in a number of respects from the earlier Keane v Central Statistics Office [2024] IEHC 20 (‘Keane’), in respect of which the cause of action predated the GDPR and so did not include a claim for compensation pursuant to s. 117.
In the Keane judgment, the High Court held that the plaintiff was required to make an application to PIAB for assessment in respect of a claim arising from an alleged data breach in which damages were sought for stress and anxiety, which were claimed to have impacted sleep and appetite and exacerbated symptoms of psoriatic arthritis.
In Dillon, there was far less emphasis on medical consequences resulting from the breaches, with the plaintiff arguing that “stress and anxiety” were descriptors of his emotional reaction to the breach and their ordinary language meaning was not a description of an “impairment” of his “mental condition”.
However, despite this lack of focus on medical factors and the fact the plaintiff’s action did include a claim that could be treated as one pursuant to s. 117, the court came to the conclusion that, like Keane, the claim fell within the definition of a “civil action” for the purposes of the 2003 Act.
Conclusion
The Dillon judgment highlights the relatively broad ambit of claims that can be classified as a “civil wrong”, as defined and how, therefore, a case may inadvertently come within the remit of the 2003 Act. Claims for compensation under the provisions of the GDPR/s.117 will not necessarily fall outside the 2003 Act and parties to a data breach claim will need to carefully consider the requirement for Injuries Resolution Board authorisation.
